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Method for monitoring events in a computer network 

The present invention relates to a method for monitoring 
events in a computer network, said computer network trigger- 
5 ing said events, wherein each event is provided with attrib- 
ute values allocated to a given set of attributes. 

With the expansion of the internet, electronic commerce and 
distributed computing, the amount of information transmitted 
via electronic networks is continuously increasing. Such pos- 
sibilities have opened many new business horizons. However, 
they have also resulted in a considerable increase of illegal 
computer intrusions . 

An emerging trend that addresses this problem is the develop- 
ment of intrusion detection systems. These systems are aimed 
to detect attacks on the computer network by monitoring all 
network activities. Network activities are usually monitored 
by the intrusion detection system as a time-ordered sequence 
of events wherein each event is characterized by a given set 
of attributes, so-called dimensions. Each event therefore 
forms an n-dimensional space. 

The monitoring of a high number of events each having many 
attributes triggered by an intrusion-detection system is a 
task that requires high skill and attention from the monitor- 
ing staff, since a large fraction of the triggered events is 
regularly reported. The challenge for an operator of the in- 
trusion detection system is to spot those events that are in- 
dicators of a real security problem. In order to distinguish 
security problem events from "false positive" alarms, the op- 
erators of the intrusion detection system usually watches out 
for interesting event patterns by means of a pattern detec- 
tion algorithm. This pattern detection algorithm enables to 
detect whether an arrived event is part of a given pattern on 
the basis of a comparison of the attributes allocated to this 
given pattern and the attributes assigned to the arrived 
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event. For example, a pattern detection algorithm may deter 
mine whether the events triggered by the intrusion-detectio: 
systems all involve the same source IP, i.e. involve the saj 
attacking machine, or the same destination IP, i.e. involve 
the same attack machine. 

In order to render it possible for the operator to supervise 
the events triggered by the intrusion-detection system a 
suitable event visualization is needed. Current intrusion 
event presentation methods can be classified into three dif- 
ferent groups: a first group of methods provides the operate 
of the intrusion detection system with a tabular text displa 
of the relevant event information. For example, the operator 
console so-called Event Viewer of IBM Tivoli Enterprise Con- 
sole TEC uses such a presentation method. In order to distin 
guish "false" positive events from real security problem 
events, a time-consuming comparison of textual information 
has to be carried out, making it difficult to spot interest- 
ing event patterns. 

A second group of prior art event visualization methods pro- 
vides the operator of the intrusion-detection system with a 
graphical representation of event information, but does not 
present the arrival time of the events. This second group 
method renders it possible to present various relations be- 
tween event attributes. Such a second group method is known 
from Erbacher et al . , Intrusion and Misuse Detection in 
Large-Scale Systems, IEEE CGA (2002) . This document describes 
a visualization method representing security events as lines 
between points, each point representing a specific originat- 
ing IP address or a specific destination IP address. From Gi- 
rardin et al . , A Visual Approach for Monitoring Logs, Proc . 
12 th Usenix System Administraction Conference, Boston, Massa- 
chusetts, USA, 1998, a further second group method is known 
using a parallel coordinate visualization technique to repre- 
sent different attributes of events. The disadvantage of the 
second group methods is that they do not display the event 
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time, which is the most important event attributes. This 
makes it difficult for operators of the intrusion-detection 
system to quickly orient themselves if they have not watched 
the display for a while. 

5 

A third group of prior art event monitoring methods enables 
an event visualization that represents the arrival time of 
events as a separate event attribute. The arrival time of the 
event is regularly displayed as the x-axis of cross-plot. 

10 From Ma et al . , Event Miner: An Integrated Mining Tool for 
Scalable Analysis of Event Data, May 2002, a visualization 
method is known using a two-dimensional mapping technique of 
arbitrary event attributes versa arrival time enabling an op- 
erator to analyze the event history. The disadvantage of this 

15 method is that only one of the event attributes may be plot- 
ted versus the arrival time of the events. Thus, the opera- 
tors have to switch continuously between the various event 
attributes to make sure that they do not miss a significant 
event pattern. From Haines et al . , Visualization Techniques 

20 for Event Stream Analysis, Eurographics UK Chapter 15 th An- 
nual Conference, Norwich, 1997, an event visualization tech- 
nique is known using a vertical stack of cross plots to dis- 
play multi-event attributes versus event arrival time. This 
known visualization technique works well if only a few event 

25 attributes have to be monitored simultaneously on a screen. A 
problem may, however, occur if an operator of the intrusion 
detection system has to supervise a large number of event at- 
tributes. He then has to simultaneously watch a large number 
of different plots each displaying an evfent attribute versus 

3 0 the event arrival time. In consequence, a high attention of 
the operator is required to detect all the security problems 
derivable from the displayed events. 

In the view of the foregoing, an object of the present inven- 
3 5 tion is to provide a method of monitoring events in a com- 
puter network enabling an operator of an intrusion-detection 
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system to simultaneously monitor various event attribute- 
versus the arrival time of the events. 

This object is met by a method of monitoring events in a 
puter network according to claim 1. Preferred embodiments 
disclosed in the dependent claims. 

The inventive method of monitoring events in a computer „, 
work, said computer network triggering said events, each 
10 event being provided with attribute values allocated to a 
gxven set of attributes includes the steps of providing ar 
event display with a cross plot having two coordinate axes 
the x-axis presenting a time period and the y-axis present 
an attribute value range, determining a primary attribute 
L5 the events selected from the given set of attributes to be 
presented with its attribute values on the y-axis of the 
cross plot, allocating a first display label to the events 
indicating the attribute values of the primary attribute 
providing a pattern algorithm to detect whether an arrived 
event is part of a given pattern on the basis of a comparis 
of the attributes allocated to the given pattern and of the 
attributes assigned to the arrived event, providing a mappi- 
algorithm to map any attribute value of an attribute select! 
from the given set of attributes onto the y-axis of the cro, 
Plot, allocating a second display label to the events indi- 
cating the attribute value of the attributes being uncovered 
as part of the given pattern, plotting all the events arrive 
within the time period and including an attribute value alio 
cated to a primary attribute into the cross plot with the 
first display label indicating the primary attribute, the po 
sition of the f irs t display label of each event in the cross 
Plot being determined on the basis of the attribute value of 
the primary attribute of the event and its arrival time, and 
Plotting all the events arrived within the time period and 
being detected by the pattern algorithm as part of the given 
Pattern into the cross plot with the second display label in- 
dicating the given pattern, the position of the second dis- 
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play label of each event in the cross plot being determined 
by the mapping algorithm on the basis of the attribute value 
of the attribute of the event as being uncovered as part of 
the given pattern and its arrival time. 

The inventive event visualization method only renders it nec- 
essary for an operator of the intrusion-detection system to 
supervise one single cross plot, which displays all relevant 
events. The x-axis of the cross plot of the event display in- 
dicates the arrival times of the relevant events. The y-axis 
represents the primary attribute values of the events in 
which the examiner is mainly interested. Additionally, all 
the events being detected by the pattern algorithm as part of 
an interesting event pattern are displayed in the cross plot. 
In order to differentiate the events associated with the pri- 
mary attribute from the events being part of the interesting 
event pattern, a first display label is assigned to all 
events including a primary attribute value and a second dis- 
play label is assigned to all events indicating the attribute 
values of the attributes being uncovered as part of the rele- 
vant event pattern. By using the inventive method of monitor- 
ing events, the event display presents a plot of information 
of the main event attribute versus the arrival time of the 
event by using a first display label for the plotted events 
wherein the interesting event pattern derived from other 
event attributes is simultaneously presented by using the 
second display label for these events. If the operator of the 
intrusion detection system wants to investigate the events 
being detected as part of a given pattern in more detail, he 
can easily switch to the corresponding event attribute by se- 
lecting a mark of the second display label in the cross plot. 

According to a preferred embodiment, the attribute values and 
the arrival time of a new event are recorded, on the basis of 
the recorded attribute values of the event it is determined 
whether or not the newly arrived event includes an attribute 
value of the primary attribute ■ and if. the newly arrived event 



CH920020049 



6 



10 



15 



>0 



includes such an attribute value, the x-axis of the « 
plot is shifted so that the time period being presente 
the x-axis covers the arrival time of the event so tha 
events arrived within the shifted time period may be p 
into the cross plot with the first display label indie 
their primary attribute values. This performance enabl. 
fast display of the events including the primary attril 

According to a further preferred embodiment, it is dec* 
on the basis of a recorded attribute value of a newly a 
event whether or not the newly arrived event is part of 
given pattern on the basis of a comparison of the attri 
allocated to a given pattern and of the attributes assi 
to the arrived event, if the newly arrived event includ 
attribute value of the given pattern, the newly arrived 
is added to the previous events being detected as part < 
given pattern and all the events being associated with t 
given pattern are re-drawn in the cross plot. This techr 
enables a fast display of the events associated with an 
teresting event pattern. 



Moreover, if a newly arrived event does not include an a 
trrbute value of the given pattern it is preferred to de 
mine on the basis of recorded attribute values of all pr 
ous arrived events by means of the pattern algorithm whe 
or not a newly arrived event is part of a new pattern on 
basis of a comparison of the attributes allocated to the 
pattern and of the attributes assigned to the arrived ev € 
If the newly arrived event forms a new pattern together * 
the previously recorded events, a third display label is 
located to the events indicating the attribute values of 
attributes being uncovered as part of the new pattern. Th 
all the events being detected by means of the pattern alg. 
rxthm as part of the new pattern are plotted into the cro. 
Plot with a third display label indicating the new patter, 
This technique enables that the event display always pre^ 
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all event patterns in all attribute dimensions independen 
from the actually selected dimension. 

Moreover, according to another preferred embodiment, if t 
an operator wants to change the primary attribute to be d 
played on the event display and therefore switches to ano 
event attribute, all the events labels are removed from t 
cross plot. Then a further display label is allocated to 
events indicating the attribute values of the new primary 
tribute. Finally all the events arrived within the time p 
riod presented on the x-axis of the cross plot and includ 
an attribute value of the new primary attribute are plott 
into the cross plot with the further display label indica 
the new primary attribute. This technique enables the ope 
tor a fast change between interesting attributes of event 
triggered by the computer network. 

According to another preferred embodiment, if the operato 
selects one of the events, e.g- by moving the cursor near 
over the plotted event display label, all the attribute v 
ues recorded for this event are plotted into the cross pl< 
with their respective display labels. Moreover, textual i: 
formation associated with the selected event may be displ- 
on the event display. This technique enables the operator 
quickly obtain all the information necessary to evaluate 
interesting event . 

According to another preferred embodiment, the pattern al< 
rithm is suitable to perform multi-attribute pattern recc 
tion so that various interesting event patterns may be si} 
taneously displayed in the cross plot. In order to improv 
the visualization of the pattern, it is further preferred 
that all the events uncovered as part of the pattern are 
clustered by a corresponding display label to distinguish 
interesting event pattern from other patterns. The preseni 
tion of the events is further improved by using display 1< 
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bels for indicating the events in the cross plot includi: 
specific color and/or a specific mark layout. 

The foregoing and other objects, features and aspects an< 
vantages of the present invention will become more appar. 
from the following detailed description of the present ii 
tion when taken in conjunction with the accompanied draw: 

Figure 1 is a conceptual view on the inventive method of 
monitoring events in a computer network; 

Figure 2 is an inventive processing flow to display a nev 
arrived event ; 

Figure 3 is a processing flow for a user input to switch 
primary attribute of the events to be displayed; 

Figure 4 is a processing flow for a user input to select 
specific event to be displayed in detail; and 

Figure 5 is a data-flow diagram disclosing the functional 
components involved in generating the inventive event vis 
alization. 

Carefully logging network activities is essential to meet 
requirements of high security and optimal resource availa 
ity. However, detecting break- in attempts within the netw 
activities is a difficult task. Making the distinctions b 
tween misuse and normal use and identifying intrusions us 
novel attack techniques is difficult. 

The invention deals with an improved visual approach for 
monitoring events triggered by one or more intrusion dete 
tion systems in a computer network. However, the invent iv 
technique may also be useful for displaying other types o 
events, not just intrusion events. 
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The monitoring of events, in particular intrusion events, is 
a task that requires high skill and attention from the moni- 
toring staff. The reason for this is that a large fraction of 
the reported events are simply so-called w false" positive 
alarms. The challenge for the operator is therefore to spot 
those events that are associated with a real security prob- 
lem. In order to identify such security events, the operator 
of the intrusion detection system is on the one hand inter- 
ested in continuously watching a main characteristic of the 
incoming events and on the other hand to uncover interesting 
event patterns. Intrusion detection systems normally generate 
events provided with attribute values allocated to a given 
set of attributes to supervise the network activities. These 
attributes are frequently called dimensions. 

It is the object of present intrusion detection visualization 
technique to display event information in such a way that it 
makes easy for an operator to distinguish false positive 
events from events belonging to a security problem. The in- 
ventive visualization technique, which is detailed below per- 
forms a visual fusion of multi-event attributes on a single 
display. The inventive method improves the state of the art 
by helping the operator to become aware of all relevant event 
patterns while looking only at a single monitor screen with- 
out the need to cycle around through multiple displays. 

According to the invention, events which are triggered in a 
computer network, each event being provided with values allo- 
cated to a given set of dimensions, are monitored with a 
cross plot having two coordinate axes, the x-axis presenting 
a time period and the y-axis presenting a selected dimension 
value range. The operator determines a primary dimension of 
the events selected from the given set of dimensions to be 
presented with its dimension values on the y-axis of the 
cross plot. This primary dimension is associated with a first 
unique label, preferably a unique color or a unique mark lay- 
out. Moreover, it is preferred that each dimension of the 
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given set of dimensions is associated with a unique label. 
Moreover, a pattern algorithm is provided in the event moni 
toring device to detect whether an arrived event is part of 
given pattern on the basis of a comparison of the dimensions 
allocated to the given event pattern and the dimensions as- 
signed to an arrived event. It is preferred that the patterr 
algorithm is able to simultaneously detect a multitude of 
event patterns. Moreover, the event monitoring device is pre 
vided with a mapping algorithm to map any dimension value of 
a dimension selected from the given set of dimensions onto 
the dimension value range of the selected primary dimension 
presented on the y-axis of the cross plot. 

The event visualization is performed in that all events ar- 
rived within the time period presented on the x-axis of the 
cross plot and including a dimension value allocated to the 
primary dimension are plotted into the cross plot with the 
corresponding display label indicating the primary dimension. 
The position of the display label of each plotted event is 
determined on the basis of the corresponding dimension value 
of the primary dimension of the event and its arrival time. 
Further, all the events that arrived within the time period 
presented on the x-axis and being detected by means of a pat- 
tern algorithm as part of the given pattern, are also plotted 
into the cross plot with a unique second display label indi- 
cating the given pattern. The second display label indicating 
the pattern is preferably an additional mark layout combining 
all the events corresponding to the pattern in the cross 
plot. The position of the second display label of pattern 
events in the cross plot is determined by the mapping algo- 
rithm on the basis of the dimension values of the dimensions 
of the events being uncovered as part of the pattern and 
their arrival time. 

Figure 1 presents a series of eight events E n to E n+8 being 
recorded one after the other by the inventive event visuali- 
zation device. Each event is associated with a set of dimen- 
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sions p, three dimensions pi . to p3 being indicated. Figure 1 
shows a time vector on which the arrival time of each event 
E n to E n+ 8 is marked. Below the time vector, Figure 1 further 
shows three cross plots, the x-axis of each cross-plot pre- 
senting a time period and the y-axis of each cross-plot pre- 
senting a dimension value range for dimensions pi to p3 , re- 
spectively. In the first cross plot, all the events arrived 
within the time period and including a dimension value allo- 
cated to the dimension pi are plotted with a first color. The 
same applies to all the events including a dimension value 
allocated to the dimension p2 in the second cross plot and to 
all the events including a dimension value allocated to the 
dimension p3 in the third crpss plot. 

In the embodiment presented in Figure 1, the operator has de- 
termined dimension pi of the recorded events as the primary 
dimension. In consequence the pattern algorithm explores 
whether any of the dimensions pi to p3 , are covered by a 
given pattern. For example the pattern algorithm examines 
whether all the events involve the same source IP and the 
same destination IP. All the events uncovered as part of the 
given pattern are connected with lines, as shown in the sec- 
ond cross plot and the third cross plot. 

All the three cross plots pi to p3 are finally combined to 
one single cross plot shown at the bottom of Figure 1, 
wherein all the events arrived within the time period and in- 
cluding a dimension value allocated to the primary dimension 
pi are plotted with the associated unique color and mark lay- 
out. Further, all the events arrived within the time period 
and being detected by the pattern algorithm as part of the 
given pattern, are plotted into the cross plot with their 
unique colors indicating the respective dimensions of the 
pattern wherein all the events of the pattern are connected 
with lines. 
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The inventive method of event visualization enables the op- 
erator with a single view onto the x-y-coordinate system to 
monitor all the relevant events occurring in a computer net- 
work. The inventive technique provides the possibility that 
the operator may look at any time at a plot of information 
dealing with one primary event dimension. These events are 
plotted with a unique display label. Moreover, all the inter- 
esting event patterns of the other dimension plots superim- 
pose this primary dimension plot indicated by their corre- 
sponding unique display labels. 

Figure 2 presents a processing flow for a newly arrived 
event. If a new event E n arrives (step SI), the dimension 
values and arrival time of the newly arrived event are re- 
corded. Furthermore, on the basis of the recorded dimension 
values, it is determined whether or not the newly arrived 
event includes a dimension value of the primary dimension. If 
the newly arrived event includes a dimension value of the 
primary dimension, in step 2 the event display is shifted to 
make room for the plot of the newly arrived event, i.e. the 
x-axis of the event display is shifted so that the time pe- 
riod presented on the x-axis of the plot covers the arrival 
time of the newly arrived event. Moreover, all the events 
which are recorded before the new time period presented on 
the x-axis are removed. This also applies to all the patterns 
without any current events within the time period presented 
on the x-axis of the cross plot. In the next step S3, the 
newly arrived event is plotted into the cross plot with the 
unique color associated with the primary dimension. Then in 
step 4, on the basis of the recorded dimension value of all 
previously arrived events, it is determined by means of the 
pattern algorithm whether the newly arrived event is part of 
the given pattern on the basis of a comparison of the dimen- 
sions allocated to the given pattern and the dimensions as- 
signed to the newly arrived event. If the newly arrived event 
includes a dimension value of the given pattern, the event is 
added in step 5 to the previous events being detected as part 
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of the given pattern and all these events being associated 
with the given pattern are re-drawn in the cross plot. 

If the newly arrived event does not include a dimension value 
of the given pattern, it is determined in step S6 on the ba- 
sis of the recorded dimension values of the previously ar- 
rived events by means of the pattern algorithm whether or not 
the newly arrived event is part of a new pattern on the basis 
of a comparison of the dimensions allocated to the new pat- 
tern and the dimension values assigned to the arrived event. 
If the newly arrived event forms a new pattern together with 
the previously recorded events, all the events detected as 
part of the new pattern are plotted into the cross plot with 
their unique colors corresponding to the respective dimen- 
sions (step S7). If no new pattern is detected, the program 
flow is terminated (step S8) . 

Figure 3 shows a program flow enabling the operator to change 
the primary dimension to be displayed. In a first step Sll, 
the operator switches the primary dimension to be displayed. 
In the next step S12, the new primary dimension is selected. 
The program then clears the display (step S13) and plots all 
the events arrived within the time period and including a di- 
mension value allocated to the new primary dimension into the 
cross plot with a corresponding display label indicating the 
new primary dimension (step S14) . Then, all the detected pat- 
terns are also plotted into the cross plot (step S15) . 

If the operator intends to investigate the context of the 
pattern in more detail, a program flow may take place as 
shown in Figure 4. The operator may move the cursor to a 
plotted dot in the display and selected this dot (step S21) . 
In the next step S22, the program plots all the dimension in- 
formation into the cross plot corresponding to the selected 
event. Further, a full picture of the event is displayed in a 
further step S23 by presenting a textual representation of 
all the event properties. The textual representation of the 
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event properties can be provided either in a separate window 
7X labeling .11 the displayed event dots. The step 823 -or 
be triggered separately by the operator, for example wrth a 
further push of a mouse key, when the cursor controlled by 
5 the mouse is located at the plotted dot. It is possxble that 
the operator may select multiple events, for example, by 
shift clicking. 

Figure 5 shows a data flow diagram presenting the functional 
10 components involved in the inventive event visualization 
technique. The central device 1 is the event dxmen- 
sion/display mapping component. The central device 1 takes 
the following information as an input: Information on de- 
tected event patterns from a pattern detector 2. Further 
15 mapping definition information as input from a corresponding 
mapping database 3. This information specifies a function for 
TZ event dimension that maps any event dimension value into 
a value range of the y-axis of the corresponding event dis- 
play x-y-coordinate system. In order to carry out this map- 
20 ping performance, the mapping definition information speci- 
"~ fies a family of functions m with individual functions nwen- 
sion : domain dimensi on - > Z. Further, the central device 1 re- 
ceives information on the current selected primary event di- 
mension 4 to be displayed and information on the current 
25 event from the event database 5. Said event database 5 xb 

also connected to the pattern detector 2. On the basis of the 
input information, the central device 1 determines the events 
and the patterns to be displayed and output the data to be 
displayed to the event and pattern display 6. Said event and 
30 pattern display 6 enables an interaction with the operator, 
the operator interaction may affect the event database 5 
and/or the selected dimension 4. 

Figure 1 of the present application shows as an example a 
35 linear pattern, i.e. all dots are located on a single row 
which is detected by the pattern algorithm and visualized 
However, also more complex dimension patterns can be detected 
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by the pattern detection algorithm and be displayed in a 
similar manner, as shown in Figure 1. To present a complex 
pattern, the display technique may highlight the involved 
event dots and possibly connect them with a polygon line to 
emphasize the pattern. The inventive method not only performs 
"wathm dimension" patterns, but also may use an algorithm to 
detect multi-dimension patterns. The pattern detection algo- 
rithm might further use background information such as the 
operating system, vulnerabilities of the attacked machine as 
well as other information gathered from a network security 
scan. It is also possible to integrate such event background 
^formation as additional displayable event dimensions. 

A problem with plotting information on multi-dimensions into 
a single cross plot may be that the dots can be clustered and 
occlude each other. To reduce such a clustering of the dis- 
played dimensions, it may be possible to assign a unique im- 
position to each dimension. 
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Claims 

1. A method of monitoring events in a computer network, 

said computer network triggering said events, each event 
being provided with attribute values allocated to a 
given set of attributes, 
comprising the steps of 

providing an event display with a cross plot having two 
coordinate axes, the x-axis presenting a time period and 
the y-axis presenting an attribute value range, 
determining a primary attribute of the events selected 
from the given set of attributes to be presented with 
its attribute values on the y-axis of the cross plot, 
allocating a first display label to the events indicat- 
ing the attribute values of the primary attribute, 
providing a pattern algorithm to detect whether an ar- 
rived event is part of the given pattern on the basis of 
a comparison of the attributes allocated to the given 
pattern and of the attributes assigned to the arrived 
event , 

providing a mapping algorithm to map any attribute value 
of an attribute selected from the given set of attrib- 
utes onto the y-axis of the cross plot, 

allocating a second display label to the events indicat- 
ing the attribute values of the attributes being uncov- 
ered as part of the given pattern, 

plotting all the events arrived within the time period 
and including an attribute value allocated to the pri- 
mary attribute into the cross plot with the first dis- 
play label indicating the primary attribute, the posi- 
tion of the first display label of each event in the 
cross plot being determined on the basis of the attrib- 
ute value of the primary attribute of the event and its 
arrival time, and 

plotting the all events arrived within the time period 
and being detected by means of the pattern algorithm as 
part of the given pattern into the cross plot with the 
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second display label indicating the given pattern, the 
position of the second display label of each event in 
the cross plot being determined by the mapping algorit 
on the basis of the attribute value of the attribute 
the event being uncovered as part of the given pattern] 
and its arrival time. 



10 
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The method according to claim 1 comprising the further 
steps of 

recording the attribute values and the arrival time of 
new event, 

determining on the basis of the recorded attribute val- 
ues of event whether or not the newly arrived event in- 
cludes an attribute value of the primary attribute, 
if the newly arrived event includes an attribute value 
for the primary attribute shifting the x-axis of the 
cross plot so that the time period being presented on 
the x-axis covers the arrival time of the event, and 
plotting the event arrived within the shifted time pe-^ 
riod into the cross plot with the first display label 
indicating the primary attribute. 



25 



30 



The method according to claim 2 comprising the further 
steps of 

determining on the basis of the recorded attribute val- 
ues of event whether or not the newly arrived event is; 
part of the given pattern on the basis of a comparison; 
of the attributes allocated to the given pattern and of 
the attributes assigned to the arrived event, 
if the newly arrived event includes an attribute value; 
of the given pattern adding the event to the previous 
events being detected as part of the given pattern, and 
redrawing all the events being associated with given 
pattern in the cross plot. 
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The method according to claim 3 comprising the further 

trthelLly arrived event does not include an attribute 

value of the given pattern, 

th . v-.is D f the recorded attribute val- 
determining on the basis or tne r 

ues of all previous arrived events by means of the pat- 
tern algorithm whether or not the newly arrived event is 
part of a new pattern on the basis of a comparison of 
the attributes allocated to the new pattern and of the 
attributes assigned to the arrived events, if the newly 
arrived event forms together with previous recorded 
events the new pattern, allocating a third display label 
to the events indicating the attribute values of the at- 
tributes being uncovered as part of the new pattern and 
plotting the all events being detected by means of the 
pattern algorithm as part of the new pattern into the 
Loss plot with the third display label indicating the 
ne „ pattern, the position of the third display label of 
each event in the cross plot being determined by the 
mapping algorithm on the basis of the attribute value of 
the attribute of the event being uncovered as part of 
the new pattern and its arrival time. 

The method according to any of claim 1 to 4 comprising 
the further steps of N 

removing all the events including an attribute value al- 
located to the primary attribute from the cross plot, xf 
a primary attribute to be presented with its attrxbute 
values on the y-axis of the cross plot is changed 
allocating a fourth display label to the events xndxcat- 
ing the attribute values of the new primary attrxbute, 

and . 
plotting all the events arrived within the txme perxod 
and including an attribute value allocated to the new 
primary attribute into the cross plot with the fourth 
display label indicating the new primary attribute, the 
position of the fourth display label of each event xn 
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the cross plot being determined on the basis of the at- 
tribute value of the primary attribute of the event and 
its arrival time. 

6. The method according to any of claim 1 to 5 comprising 
the further steps of 

plotting all attribute values recorded for an event with 
the respective display label into the cross plot if the 
event is selected by an operator, and 

displaying textual information associated with the se- 
lected event on the event display. 

7. The method according to any of claim 1 to 6, wherein the 
pattern algorithm is suitable to perform multi-attribute 
pattern recognition. 

8. The method according to any of claim 1 to 7 , wherein 
each display label includes a specific color and/or a 
specific mark layout. 

9. The method according to any of claim 1 to 8, wherein all 
events being uncovered as part of the pattern are clus- 
tered by the corresponding display label. 

10. A computer program containing a program code to carry 
out the steps of the method of any of claims 1 to 9, 
when the program code is running on a computer. 

11. A computer program containing a program code to carry 
out the steps of the method of any of claims 1 to 9, 
said program code being stored on data carrier. 

12. An event visualization device for monitoring events in a 
computer network, the device comprising means to perform 
the steps of the method as claimed in claims 1 to 9 . 



CH920020049 



20 



Abstract 



The present invention relates to a method of monitoring 
events in a computer network, said computer network trigger- 
ing said events, each event being provided with attribute 
values aliocated to a given set of attributes, which includes 
the steps of providing an event display with a cross plot 
having two coordinate axes, the X-axis presenting a time pe- 
riod and the y-axis presenting an attribute value range, de- 
termining a primary attribute and a corresponding display la- 
be! of the events selected from the given set of attributes 
to be presented with its attribute values on the y-axis of 
the cross plot, providing a pattern algorithm to detect 
whether an arrived event is part of a given pattern on the 
basis of a comparison of the attributes allocated to the 
given pattern and of the attributes assigned to the arrived 
event, providing a mapping algorithm to map any 
value of an attribute selected from the given set of attrrb 
utes onto the y-axis of the cross plot, allocating a second 
display label to the events indicating the attribute value of 
the attributes being uncovered as part of the given pattern, 
plotting all the events arrived within the time period and 
including an attribute value allocated to a primary attribute 
into the cross plot with the first display label indicating 
the primary attribute, and plotting all the events arrived 
within the time period and being detected by the pattern al- 
gorithm as part of the given pattern into the cross plot with 
the second display label indicating the given pattern. 



[Fig. 2] 
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Figure 3 
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